karmada icon indicating copy to clipboard operation
karmada copied to clipboard

Published 20 hours ago verified publisher icon karmada-io

cfssl checksum mismatch

Open wzshiming opened this issue 2 years ago • 14 comments

What happened:

GOPROXY=https://goproxy.io go install github.com/cloudflare/cfssl/cmd/[email protected]
go: github.com/cloudflare/cfssl/cmd/[email protected]: github.com/cloudflare/[email protected]: verifying module: checksum mismatch
        downloaded: h1:V7EcbVzttAkK3J7PmAxjf7wD7UpMtWSCI+Wl+mu87mw=
        sum.golang.org: h1:3T2oQHypP81rykPfkTxOCyJkRU3xQz5SySVahMpN5LE=

What you expected to happen:

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

  • Karmada version: latest
  • kubectl-karmada or karmadactl version (the result of kubectl-karmada version or karmadactl version):
  • Others:

wzshiming avatar Nov 01 '22 09:11 wzshiming

/assign

wzshiming avatar Nov 01 '22 09:11 wzshiming

Can you tell us how to reproduce it? By the way, can you show the output of go env GOPROXY?

RainbowMango avatar Nov 01 '22 09:11 RainbowMango

GOPROXY=https://goproxy.io go install github.com/cloudflare/cfssl/cmd/[email protected]

wzshiming avatar Nov 01 '22 12:11 wzshiming

This means that the tag has been force-pushed, and goproxy.io has cached the tag without updating it.

wzshiming avatar Nov 01 '22 12:11 wzshiming

GOPROXY=https://goproxy.io go install github.com/cloudflare/cfssl/cmd/[email protected]

It works well on my side. What's your GOSUMDB?

go env GOSUMDB

ikaven1024 avatar Nov 01 '22 12:11 ikaven1024 

go env GOSUMDB
sum.golang.org

wzshiming avatar Nov 01 '22 12:11 wzshiming 

docker run --rm -it docker.io/library/golang:alpine sh -c 'GOPROXY=https://goproxy.io go install github.com/cloudflare/cfssl/cmd/[email protected]'

go: downloading github.com/cloudflare/cfssl v1.6.2
go: github.com/cloudflare/cfssl/cmd/[email protected]: github.com/cloudflare/[email protected]: verifying module: checksum mismatch
        downloaded: h1:V7EcbVzttAkK3J7PmAxjf7wD7UpMtWSCI+Wl+mu87mw=
        sum.golang.org: h1:3T2oQHypP81rykPfkTxOCyJkRU3xQz5SySVahMpN5LE=

SECURITY ERROR
This download does NOT match the one reported by the checksum server.
The bits may have been replaced on the origin server, or an attacker may
have intercepted the download attempt.

For more information, see 'go help module-auth'.

wzshiming avatar Nov 01 '22 12:11 wzshiming

GOPROXY=https://goproxy.io go install github.com/cloudflare/cfssl/cmd/[email protected]

It works well on my side. What's your GOSUMDB?

go env GOSUMDB

Maybe had cached in your machine

wzshiming avatar Nov 01 '22 12:11 wzshiming

I guess it's the goproxy.io's problem, it might cached the wrong code.

RainbowMango avatar Nov 01 '22 12:11 RainbowMango

I tested the command you provided, it will return the same SECURITY ERROR as you said.

GOPROXY=https://goproxy.io/ go install github.com/cloudflare/cfssl/cmd/[email protected]

I deleted ~/go/pkg, so there will be no cache. Then I changed to https://goproxy.cn/, everything is fine.

GOPROXY=https://goproxy.cn/ go install github.com/cloudflare/cfssl/cmd/[email protected]

cmicat avatar Nov 02 '22 03:11 cmicat

@wzshiming I suggest reporting this issue to goproxy.io.

RainbowMango avatar Nov 02 '22 03:11 RainbowMango

well, we'd better bump to avoid this issue Please have a look at #2723

wzshiming avatar Nov 02 '22 06:11 wzshiming

@wzshiming I suggest reporting this issue to goproxy.io.

It may not be a issue of goproxy.io, but rather that github.com/cloudflare/cfssl's tag v1.6.2 has been force-pushed

wzshiming avatar Nov 04 '22 08:11 wzshiming

github.com/cloudflare/cfssl's tag v1.6.2 has been force-pushed

Each version will be cached by proxy.golang.org and sum.golang.org will record the checksum. If the maintainer re-tagged the version, then we can't install it with sum.golang.org.

RainbowMango avatar Nov 04 '22 09:11 RainbowMango

@wzshiming have you figured out the root cause?

RainbowMango avatar Dec 07 '22 07:12 RainbowMango